Laws and Regulations Applicable to Dutch Licensed Banks

Dutch licensed banks are regulated by a broad set of laws which predominantly arise from European directives, regulations and guidelines issued by the European supervisory authorities.

The main European regulations (not exhaustive) are:

• the Capital Requirements Directive (2013/36/EU);
• the Capital Requirements Regulation ((EU) 575/2013);
• the Deposit Guarantee Schemes Directive (2014/49/EU);
• the Bank Recovery and Resolution Directive (2014/59/EU);
• the Anti-Money Laundering Directive ((EU) 2015/849), as amended, AMLD);
• to the extent that a bank performs investment services: the second Markets in Financial Instruments Directive (2014/65/EU), the Markets in Financial Instruments Regulation ((EU) 600/2014) and delegated regulations and technical standards thereto; and
• for payment services provided by the bank: the revised Payment Services Directive ((EU) 2015/2366).

European Regulations have direct effect in the Netherlands and are not separately copied in Dutch laws. The abovementioned  European Directives, except AMLD, are implemented in Dutch law in the Dutch Financial Supervision Act (Wet op het financieel toezicht, DFSA) and underlying regulations. AMLD is implemented in the Dutch Anti-Money Laundering and Anti-Terrorist Financing Act (Wet ter voorkoming van witwassen en financieren van terrorisme).

The DFSA is the main law governing financial institutions, including banks, and, for example, provides rules on authorisation, the code of conduct, capital, capital markets, and division of tasks/co-operation between the relevant regulatory authorities.

In addition to implementing European laws, the DFSA contains purely national laws, such as rules on the duty of care that applies to banks and remuneration rules, which are more stringent than European laws.

Another important source of regulation is formed by a set of guidelines issued by the European Banking Authority (EBA). Although these guidelines are not formal law, the Dutch Central Bank (De Nederlandsche Bank, DNB) must apply these guidelines unless it has informed the EBA that it will deviate from the guidelines, which only happens on rare occasions. For example, the EBA guidelines provide detailed rules on the governance of banks and outsourcing of operations by banks. Also notable is the ECB Guide on climate-related and environmental risks.

Supervisory Authorities

The main regulators for banks are:

• the European Central Bank (ECB);
• the DNB; and
• the Dutch Authority for the financial markets (Autoriteit financiele markten, AFM).

The division of tasks between the ECB and the national regulators is based on the SSM Regulation and the SSM Framework Regulation, and is summarised below.

• The ECB is responsible for (i) granting and revoking bank licenses; (ii) granting Declarations of No Objection (verklaring van geen bezwaar, DNO) to qualified holders in a licensed bank, being those entities/persons that (in)directly hold 10% or more of the shares, voting right or comparable control in a bank; and (iii) ongoing supervision of banks that qualify as significant institutions. Ongoing supervision is performed by Joint Supervisory Teams (JSTs), which are composed of ECB staff and staff of the national regulators.
• Under overall oversight by the ECB, the DNB is responsible for prudential supervision of non-significant banks.
• The AFM is responsible for ongoing code of conduct supervision of non-significant banks (gedragstoezicht).

The AFM and the DNB closely co-operate. In practice, Dutch-licensed banks primarily interact with the DNB as part of ongoing supervision, including code of conduct supervision.

Introduction to Banking Licenses in the Netherlands

The requirement to obtain a banking license in the Netherlands is laid down in the DFSA in conjunction with the Capital Requirements Regulation (CRR). Broadly, a license is required when an institution both (i) takes deposits or other repayable funds from the public (such as attracting debt); and (ii) grants credit for its own account.

Limited exemptions to the license requirement exist, such as the exemption for group financing companies, which covers institutions that raise funds through the issuance of securities and use these funds within their corporate group, subject to certain conditions.

The available services that a bank can apply for under a license are set out in Annex I to the Capital Requirements Directive (CRD). At a minimum, such services must include taking deposits and other repayable funds, as well as granting credit for own account. Depending on the activities of the institution, other services set out in this Annex must be applied for as part of the license application process or later added following a license expansion or notification procedure. These include but are not limited to:

• investment activities or investment services originating from the Markets in Financial Instruments Directive 2 (MiFID2);
• e-money and payment services originating from the Electronic Money Directive 2 (EMD2) and Payment Services Directive 2 (PSD2); and
• consumer credit provision and servicing.

Further, all ten services following from the Markets in Crypto Assets Regulation (MiCAR) will be available to banks as well following the notification procedure at the end of 2024. In all cases the respective bank must adhere to relevant additional conduct of business requirements set out in the DFSA or applicable regulations.

Licensing Process

In practice, two phases can be distinguished in the process of obtaining a banking license: the preliminary phase and the formal phase. The preliminary phase is used by the DNB and the ECB to provide feedback to the applicant prior to the formal license being submitted. Formal submission must be done via the IMAS portal operated by the ECB. The application itself, along with all subsequent communication, is conducted primarily in English through the DNB. This reflects the international standards and practices of the banking industry. The DNB offers comprehensive resources on its website, providing applicants with essential information on relevant laws, terms, and regulations. This includes updates and guidance, ensuring applicants are well-informed throughout the process.

Once the formal license application is received, the formal decision-making timeframe is 26 weeks. However, this period can be extended if further information is required or if additional questions arise from the application. The quality and completeness of the application are crucial as they significantly influence the duration of the process. Upon finalisation of the review by the DNB, the DNB provides a draft proposal to the ECB and the ECB will issue the final decision on the license application. In practice, close to finalisation of the review by the DNB, the DNB will first share a written intention for a draft proposal with the ECB. The ECB will then review and provide feedback to the DNB, allowing the DNB and the applicant to address concerns that the ECB may have with the draft proposal.

The banking license application process, overseen by the DNB and the ECB, is designed to ensure that new banking entities meet the many standards necessary for operating in the financial sector. In addition to the license application process, all direct and indirect qualifying shareholders of the prospective bank have to obtain a DNO from the ECB. The application process for DNOs runs parallel to the banking license process and ultimately is part of the draft proposal prepared by the DNB for the ECB to formally decide on.

The cost of processing a banking license application applies regardless of the outcome of the application, whether it results in the granting, rejection, withdrawal, or a temporary hold of the license.

European Passport

A Dutch-licensed bank that seeks to provide services in other European Economic Area (EEA) jurisdictions can do so on the basis of a so-called European passport, either by opening a branch or providing cross-border services in the respective EEA jurisdictions. The process of obtaining a passport involves several stages.

A Dutch-licensed bank can follow a passport notification procedure through the IMAS portal of the ECB which will then be forwarded to the DNB. The services that a Dutch-licensed bank can provide in other EEA jurisdictions may be all or a selection of services for which the Dutch-licensed bank is authorised. When launching new activities or changing notification details, the Dutch-licensed bank must re-run the notification procedure. On receipt of a European passport notification, the DNB, as regulator of the home member state, will assess the completeness and accuracy of the information provided. Where the information provided in the notification is assessed to be incomplete or incorrect, the DNB must inform the bank without delay, indicating in which respect the information is assessed to be incomplete or incorrect. The DNB must, within one month of receipt of a complete and accurate notification, send that notification to the competent regulator of the host state.

To establish a branch, the DNB submits the branch notification to the host state regulator within thirteen weeks. The host state regulator then has two months to prepare its supervision for the new branch. Unlike the provision of cross-border services, a branch can start its activities two months after the host state regulator confirms the receipt of a complete notification.

For the acquisition, holding, or increase of a qualifying holding in a Dutch-licensed bank, prior approval from the ECB is required in the form of a DNO.

The requirements regarding DNOs are laid down in sections 1.6.1a and 3.3.11.1 DFSA. Furthermore, the following guidelines are relevant:

• EBA, EIOPA and ESMA Guidelines on qualifying holdings of December 2016 (the “Joint Guidelines”); and
• ECB Guide on qualifying holding procedures of March 2023.

Qualifying Holding

There are three situations in which a qualifying holding exists:

• a direct or indirect holding of 10% or more of the issued capital of a Dutch-licensed bank;
• the power to exercise, directly or indirectly, 10% or more of the voting rights in a Dutch-licensed bank; or
• the power to exercise a significant influence over the management of a Dutch-licensed bank.

To assess whether qualifying holdings exist, the ownership chain of the Dutch-licensed bank must be analysed using the calculation methods set out in the Joint Guidelines. The calculation methods include certain aggregation rules. One such rule is that for parties that “act in concert”, the holdings of the relevant parties are aggregated, and each party is considered to hold the resulting aggregated percentage. The Joint Guidelines list various indicative factors for acting in concert, including the existence of family relationships or a consistent voting pattern.

In complex acquisition structures, such as private equity firms, sovereign wealth funds and conglomerates, an extensive qualifying holding analysis may be required.

DNO Application

A DNO must be obtained from the ECB. The DNB plays a key role in preparations and serves as the primary contact. The DNO application form is to be submitted through the ECB’s IMAS Portal. The current version of the form requests applicants to also submit one or more ancillary forms through the DNB’s MyDNB Portal. The statutory consideration period is 62 business days, which can be extended once by 30 business days if supplementary information is needed.

The DNO assessment encompasses at a high level the following areas:

• (i) the integrity (betrouwbaarheid) and reputation (reputatie) of the qualifying holder;
• (ii) the financial soundness of the qualifying holder;
• (iii) whether the licensed bank will be able to continue meeting its prudential requirements as a result of the holding; and
• (iv) whether the holding may involve actual or attempted money laundering or terrorist financing or might increase the risk thereof.

For legal entity DNO applicants, the individuals who effectively direct the business of the legal entity are also screened. This screening primarily relates to areas (i) and (iv).

Ongoing Requirements

Once the DNO is obtained, ongoing requirements apply towards the ECB and/or DNB, such as the requirements to:

• notify material changes in previously provided information or circumstances;
• report any instances where the holding falls below 10%, 20%, 33%, 50% or 100%;
• obtain a new DNO before increasing the holding to or above 20%, 33%, 50% or 100%, unless the threshold falls within the specified bandwidth of the existing DNO; and
• obtain prior approval for appointing new individuals who effectively direct the business of a legal entity holding a DNO.

The legal basis for the corporate governance requirements applicable to Dutch-licensed banks follows from (i) the DFSA; (ii) Book 2 of the Dutch Civil Code (Burgerlijk Wetboek); (iii) the EBA Guidelines on internal governance; and (iv) the Dutch Corporate Governance Code (DCGC). 

Two-tier Model

The DFSA determines that a Dutch-licensed bank must apply a two-tier model, whereby management is separate from supervision. Management is performed by a management board consisting solely of executive directors, while management supervision is carried out by the supervisory board. As follows from the Dutch Civil Code and the EBA Guidelines on internal governance:

• the management board is responsible for the general day-to-day operations of the bank; and
• the supervisory board supervises the management board and provides the management board with solicited and unsolicited advice. 

The DFSA determines that the day-to-day operations of the bank must be determined by at least two individuals that operate from the Netherlands. The day-to-day management is considered to be performed by the management board.

The supervisory board must consist of at least three individuals. All members of the supervisory board must be independent in mind and appearance. In addition, at least 50% of the supervisory board members must meet formal independence criteria. If a bank is significant, the supervisory board must establish a risk committee, nomination committee, and a remuneration committee from among its members.

EBA Guidelines on Internal Governance

Apart from the statutory laws set out in the DFSA, the EBA Guidelines on internal governance are the main source as regards the organisation of the internal governance of banks. The EBA Guidelines contain detailed provisions regarding a broad set of topics which focus on ensuring sound internal governance. For example, the EBA Guidelines determine that banks must have a compliance function, a risk function and an independent internal audit function and provide detailed provisions as regards the composition and tasks of such functions.

DCGC

In addition to the EBA Guidelines on internal governance, the DCGC provides best practices regarding (i) sustainable long-term value creation; (ii) effective management and supervision; (iii) remuneration; and (iv) the relationship with and role of the shareholders. The DCGC is formally only applicable to listed companies. However, the DNB generally expects Dutch-licensed banks to take the DCGC into account. The DCGC applies on a “comply or explain” basis.

Fit and Proper Screening

Individuals appointed as management board members (ie, day-to-day policymakers) or as supervisory board members are subject to screening by the DNB or the ECB. The division of tasks between the DNB and the ECB depends on whether it concerns screening in the context of a license application and whether it concerns a significant or non-significant bank.

The regulator (ie, the DNB or the ECB) assesses whether the integrity (betrouwbaarheid) of the individual subject to screening is beyond doubt and whether the individual is suitable (geschikt) for the function. This is sometimes also referred to as fit and proper screening.

Integrity screening relates to the individual and not to the function that the individual will hold. Integrity is assessed on the basis of antecedents disclosed in a standard questionnaire. Suitability screening involves an assessment of whether the individual has sufficient and relevant knowledge, work experience and other relevant competencies for the function to be held.

Screening Requirements for Second-Echelon Functions

Screening criteria also apply to second-echelon functions. The second echelon is comprised of individuals who fulfil a management position directly below the executive board, and who will be responsible for natural persons whose activities can have a significant impact on the risk profile of the Dutch-licensed bank. For the second echelon, the DNB assesses the integrity and the bank itself must establish whether the individual is suitable.

An individual cannot assume their position until receiving a positive screening decision from the regulator.

The legal basis for the remuneration requirements applicable to Dutch-licensed banks follows from the DFSA, the Regulation on Sound Remuneration Policy DFSA (Regeling beheerst beloningsbeleid Wft 2021, Rbb),  the EBA Guidelines on Sound Remuneration policies, and the DCGC.

These regulations and guidelines differentiate between several types of staff, and each may have different requirements for fixed remuneration and variable remuneration.

DFSA

The remuneration rules in the DFSA apply to individuals working under the responsibility of the Dutch-licensed bank, and its subsidiaries. The most relevant remuneration requirements under the DFSA are as follows:

• Remuneration policy requirements: Banks must have a remuneration policy tailored to their size and activities, among others setting out specific principles for awarding fixed and variable remuneration.
• Disclosure requirements: Banks must publish a description of their remuneration policy in their annual accounts and on their website, including information on the amount of variable remuneration awarded.
• Bonus cap: The amount of variable remuneration awarded must be limited to 20% of the individual’s fixed remuneration. There are limited exemptions to this bonus cap, such as for individuals predominantly working outside of the Netherlands.
• Welcome bonuses and severance payments: Banks can only award guaranteed variable remuneration (welcome bonuses) and severance payments under specific conditions. 
• Malus and clawback: In certain circumstances, banks can reduce or reclaim variable remuneration (also known as malus and clawback measures).
• Retention of shares: A retention requirement of five years applies to shares (or comparable instrument) awarded by the bank as fixed remuneration.

A breach of these remuneration rules, such as an employment contract in breach of the Dutch bonus cap rules, is considered null and void (nietig) under Dutch law.

RBB

The RBB contains remuneration requirements for individuals who can materially affect the risk profile of the bank (identified staff). The Rbb implements most of the remuneration requirements following CRD IV. As follows from the Rbb: 

• The supervisory board must adopt the remuneration policy of the bank, and must be responsible for reviewing and implementing this policy.
• Significant banks must establish a remuneration committee responsible for, inter alia, preparing remuneration decisions to be made by the supervisory board. 
• A significant portion of variable remuneration (at least 50%) must consist of shares (or comparable instruments), which must also be subject to an appropriate retention period linked to the bank’s performance.
• When awarding variable remuneration, a considerable portion (at least 40%) must be deferred over a period of at least four to five years (depending on the individual’s role).

An exemption exists to the financial instruments and deferral requirements described above, available to small banks and individuals who are awarded a certain (limited) amount of variable remuneration.

EBA Guidelines on Sound Remuneration Policies

The DNB applies the EBA Guidelines in its supervision of Dutch-licensed banks, which further detail the remuneration requirements as set out in the DFSA and Rbb. The EBA sets detailed remuneration requirements, such as on the identification process of identified staff, the tasks and responsibilities of the remuneration committee and the pay-out process for variable remuneration.

Dutch Corporate Governance Code

According to the DCGC, the supervisory board should determine the remuneration of the individual management board members, within the boundaries of the management board remuneration policy as adopted by the general meeting of the company.

The Dutch legal framework on anti-money laundering and counter-terrorist financing (AML-CFT)  primarily consists of the following legislation and guidelines:

• the Dutch anti-money laundering act (Wet ter voorkoming van witwassen en financieren van terrorisme, Dutch AML Act) and underlying regulations;
• EBA Guidelines, such as the EBA Guidelines on ML/TF risk factors; and
• the DNB Guideline on AML-CFT, which is expected to be replaced by the DNB AML-CFT Q&As and Good Practices that were consulted by the DNB in October 2023.

Dutch AML Act

The three main elements of the Dutch AML Act are outlined below.

AML-CFT risk analysis

The Dutch AML Act follows a risk-based approach. The actual measures that banks implement in the context of these requirements depend on the associated risks. The cornerstone of the risk-based approach is the AML-CFT risk analysis, based on which the concrete AML-CTF measures must be determined. The AML-CFT risk analysis is often part of the Systematic Integrity Risk Analysis (SIRA).

Customer due diligence (CDD)

The purpose of conducting CDD is that the bank knows who it is doing business with. CDD, among others, requires the bank to identify and verify the identity of a customer, its Ultimate Beneficial Owner(s) (UBO), the individual(s) representing the customer and the purpose and nature of the business relationship.

CDD is required when the bank enters into a business relationship with a customer or when it conducts an incidental transaction(s) amounting to EUR15,000 or more on behalf of the customer. The bank applies (i) regular; (ii) simplified; or (iii) enhanced CDD, each with minimum requirements depending on the customer risks involved.

Throughout the business relationship, the bank is obligated to conduct CDD reviews, typically triggered periodically or based on specific events.

Transaction monitoring

Banks must monitor transactions within a business relationship to identify unusual activities by means of objective and subjective indicators as laid down in the Dutch AML Act. If a transaction meets certain criteria, it qualifies as unusual and must be promptly reported to the Financial Intelligence Unit Netherlands (FIU-NL).

New AML-CFT Industry Baselines

A recent development in 2023 is that the DNB has entered into discussions with the Dutch Banking Association (De Nederlandse Vereniging van Banken, DBA), of which nearly all Dutch banks are members. The aim of the discussions is to come to an AML-CTF framework that increases the impact on clients that pose actual risks, while minimising the impact on bona fide clients. As a result of these discussions, the DBA has drafted and published industry baselines that set out the clear starting points for the risk-based application of the open standards in the Dutch AML Act in CDD by banks.

Dutch Deposit Guarantee Scheme

The Dutch Deposit Guarantee Scheme (DGS) is laid down in Section 3.5.6 of the DFSA and the relevant regulations thereto. The DGS implements the EU Directive 2014/49/EU on deposit guarantee schemes. The DGS regime is administered by the DNB and the DGS funds are kept in the Deposit Guarantee Fund (depositogarantiefonds, DGF) which is managed by the DNB.

Since 2016, Dutch-licensed banks have been required to contribute to the DGF quarterly. The target is for the DGF to reach at least 0.8% of the deposits guaranteed under the DGS by 2024. These contributions are divided into collective and individualised components, with the DNB determining each bank’s contribution based on their deposit base and that of all banks combined. Supplementary contributions may be set if covered deposits increase. When the DNB has to repay depositors out of the DGF, but the available funds in the DGF are not sufficient to finance the payments, extraordinary contributions are levied. The DNB determines these contributions ex post and may ask banks for an advance payment if needed.

Accounts Eligible for Protection Under the Dutch DGS

Various types of accounts are eligible for protection under the DGS. These include:

• Payment Accounts: This category covers standard bank accounts used for daily financial transactions, such as current accounts.
• Savings Accounts: Accounts specifically designated for saving money, which may offer interest on the saved amount, are protected.
• Fixed-Term Deposits: These are deposits made for a fixed period, often at a fixed interest rate, and cannot be accessed until the term ends without incurring penalties.
• Life-Cycle Saving Schemes: These accounts are designed for long-term saving, often linked to significant life events like retirement.
• Bank Savings Accounts: Similar to regular savings accounts, these accounts may have specific terms and conditions regarding deposits and withdrawals.
• Investment Accounts: These accounts hold investments rather than cash.

It is important to note that while the account itself may be covered, investment products (like shares or bonds) held within these accounts are not covered by the DGS. Furthermore, subordinated deposits are generally not covered by the DGS.

The types of account holders covered include:

• Natural persons: Personal account holders, irrespective of their age, nationality, or residence status, are covered by the DGS.
• Businesses: Small, medium, and large businesses holding accounts in participating banks are eligible for protection.
• Associations and Foundations: Non-profit organisations, including associations and foundations, are also covered under the scheme.
• Joint Account Holders: Accounts held jointly by multiple individuals are protected. The coverage is typically divided equally among the account holders unless a different division is agreed upon.

Notably, the DGS excludes certain account holders from its protection, such as account holders involved in financial crimes and account holders who have failed to provide necessary identity verification documents.

Maximum Reimbursement

The maximum reimbursement under the DGS is EUR100,000 per account holder per bank. This applies collectively to all the accounts a person holds with the same bank. Joint accounts and accounts held in the names of two or more legal persons have their cover calculated proportionately, unless a different division is agreed upon in advance. The limit of EUR100,000 still applies in these cases.

In the Netherlands, there are no specific legal provisions on bank secrecy. Nevertheless, all customer data must be treated as confidential by Dutch-licensed banks.

Obligations to Share Customer Data

The confidentiality obligations are embedded in the rules on the duty of care requirements, various data protection and privacy laws that apply to banks and follow from the contractual relationship between a bank and its customers. Information can be regarded as confidential if there are obligations to customers or other counterparty relationships binding a bank to confidentiality. Not treating customer data confidentially may therefore result in a violation of that contract, data privacy laws or, as the case may be, the rules on the duty of care that apply to a bank.

However, in some instances, Dutch-licensed banks may be required to provide personal data to authorities such as the Dutch Tax and Customs Administration (for preventing tax evasion purposes), or the public prosecutor’s office (for criminal investigation purposes). Such legal obligations follow inter alia from the DFSA and the Dutch AML Act. Additionally, Dutch-licensed banks are required to provide data to the DNB of deposit holders for the purpose of the DGS. Please refer to 6.1 Depositor Protection Regime.

For the purposes of fraud prevention, Dutch-licensed banks are permitted by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) to share consumer data with certain third parties under strict conditions, despite strict privacy laws.

Data Referral Portal

The Banking Information Reference Portal, as introduced in September 2020, is a digital facility for automated disclosure of identification data demanded by competent investigative authorities and the Dutch Tax and Customs Administration. As follows from the DFSA, Dutch-licensed banks and other payment service providers offering accounts with a Dutch international bank account number (IBAN, as referred to in the SEPA Regulation) are under a statutory duty to comply with demands for disclosure from these authorities. The DNB is responsible for monitoring institutions’ compliance with the statutory duty to register with the Banking Information Reference Portal.

Bankers’ Oath

All employees of a Dutch-licensed bank working in the Netherlands must take an oath or affirmation of good conduct (the Bankers’ Oath), regardless of the nature of their contract. By taking the oath or affirmation, an employee declares that they will follow the code of conduct and the disciplinary regulations for the banking sector (Tuchtreglement bancaire sector). This means, among other things, that the bank employee shall not provide any confidential information about customers to third parties without the customer’s permission. The employee shall only disclose information about customers when required to do so by law, a judge or the supervisory body.

The obligation to take the Bankers’ Oath also applies to employees of Dutch branches of banks that do not have a seat in a member state.

Prudential Regime for Banks

The legal basis for prudential supervision in the Netherlands follows from CRR and CRD IV as implemented in the DFSA and the Decree on Prudential Rules for Financial Undertakings (Besluit Prudentiële regels Wft, Bpr). These rules cover risk management, capital requirements and liquidity requirements for Dutch-licensed banks and branches of banks with a registered office in a non-member state conducting business in the Netherlands.

The prudential rules of CRR and CRD IV are the European implementation of the international Basel III standards (Basel III). Basel III is an international regulatory framework that aims to strengthen the regulation, supervision and risk management of the banking sector.

Risk Management

Dutch-licensed banks are required to have sound risk management policies to control relevant risks. Relevant risks at least include concentration risks, credit risks, counter-party risks, liquidity risks, market risks, operational risks, interest rate risks from non-trading activities, rest risks, risks due to excessive leverage, securitisation risks, insurance risks, lapse risk and risks arising from the macro-economic environment in which the bank operates and which are related to the state of the business cycle.

Risk management policies must be translated into specific procedures and measures to control the relevant risks and must be integrated into the business processes of the bank. The procedures and measures must consist of, inter alia, authorisation procedures, limit settings and limit monitoring tailored to the bank’s nature, size, risk profile and complexity.

Dutch-licensed banks must have an independent risk management function. This function is tasked with systematically and independently conducting risk management, aimed at identifying, measuring and evaluating the risks the bank are exposed to. The management board and the supervisory board must be actively involved in a bank’s risk management.

Capital Requirements

To ensure financial stability and mitigate risks, banks are subject to two distinct regulatory measures: capital requirements and liquidity requirements. The first set of measures follows from the CRR, and aims to establish minimum capital requirements for credit, market, and operational risks. This requires banks to maintain an adequate capital buffer to absorb unexpected financial setbacks. Capital requirements can be divided into (i) qualitative; and (ii) quantitative requirements.

Qualitative requirements

The CRR addresses the quality of capital by the extent to which the capital can absorb losses and classifies the capital into different tiers.

Tier 1 capital, comprised of Common Tier 1 (CET1) capital and Additional Tier 1 (AT1) capital:

• CET1 capital: As the highest quality of capital, CET1 capital represents the core equity capital of a bank and enables it to absorb losses immediately without significantly impacting its operations or stability. It consists of capital instruments, share premium accounts related to these capital instruments, retained earnings, accumulated other comprehensive income, other reserves and funds for general banking risks.
• AT1 capital: AT1 capital is Tier 1 capital that is not CET1 capital and consists of capital instruments and the share premium accounts related to these capital instruments. AT1 capital has certain characteristics; eg, the provisions governing the instruments must require that, when the CET1 capital ratio falls below 5.125%, the principal amount of the instruments will be written down on a permanent or temporary basis or the instruments will be converted into CET1 instruments.
• Tier 2 capital: Tier 2 capital is considered to be of lower quality. This tier includes instruments such as subordinated debt instruments, which hold a subordinate position to other debts in the event of liquidation or bankruptcy. While Tier 1 capital forms the primary layer of a bank’s capital structure, Tier 2 capital provides an additional cushion.

Quantitative requirements

In order to ensure that banks maintain sufficient financial cushion to absorb potential losses, the CRR addresses the quantity of capital by stipulating that banks must maintain specific capital ratios, expressed as percentages of the total risk exposure amount. This exposure amount is calculated using risk-weighted assets. Banks must maintain (i) a Common Equity Tier 1 capital ratio of 4.5%; (ii) a Tier 1 capital ratio of 6%; and (iii) a total capital ratio of 8%.

The leverage ratio is calculated by dividing a bank’s Tier 1 capital by its total exposure. Unlike the capital ratios above, the leverage ratio takes into account the unweighted total exposure rather than the total risk-weighted exposure. Banks are required to maintain a minimum of 3% leverage ratio.

In addition to the mentioned capital ratios, banks must uphold a capital buffer, comprising the following elements: (i) the capital conservation buffer, set at 2.5%, which consists of CET1 capital; and (ii) the institution-specific countercyclical capital buffer, determined by the DNB and presently set at 2%.

Systemically important banks may be subject to additional buffer requirements, including a Global Systemically Important Institution buffer (G-SII) or an Other Systemically Important Institution (O-SII) buffer, as well as a systemic risk buffer.

Liquidity requirements

Besides the capital requirements, Dutch-licensed banks must adhere to liquidity requirements. These requirements are designed to guarantee that Dutch-licensed banks maintain an adequate amount of liquid assets to fulfil their short-term obligations, particularly in times of financial strain. The CRR outlines two primary liquidity requirements: the liquidity coverage ratio and the stable funding ratio.

The liquidity coverage ratio focuses on short-term liquidity risks and requires banks to hold sufficient liquid assets to be able to convert these assets into cash under stressed conditions over a thirty-day period. The stable funding ratio, on the other hand, focuses on the long-term liquidity risks and requires banks to ensure that their long-term obligations are met with diverse stable funding instruments.

The key piece of legislation around insolvency, recovery and resolution of banks is the Bank Recovery and Resolution Directive (BRRD). BRRD is implemented in Part 3A of the DFSA.

The BRRD serves the purpose of ensuring the continuity of a bank’s critical financial and economic function, while minimising the impact of a bank’s failure on the economy and financial system. To that effect, the BRRD provides the national resolution authorities (the DNB in the Netherlands) with a set of tools to intervene sufficiently early and quickly in an unsound or failing bank.

The BRRD distinguished three phases with regard to recovery and resolution:

• recovery and resolution planning (Title II BRRD);
• early intervention for recovery (Title III BRRD); and
• resolution (Title IV BRRD).

Phase 1: Recovery and Resolution Planning

Dutch-licensed banks must establish a recovery plan. The recovery plan must include a framework of qualitative and quantitative indicators identifying the points at which escalation processes/action plans must be activated. The EBA has issued guidelines on the minimum indicators that banks must include in their recovery plan (EBA Guidelines on recovery plan indicators).

The DNB, as the resolution authority in the Netherlands, must establish a recovery plan for each licensed bank. The recovery plan will be based on information to be provided by the respective bank.

Recovery and resolution plans must be updated at least annually.

Phase 2: Early Intervention for Recovery

If the financial condition of a bank is rapidly deteriorating (as further set out in the EBA Guidelines on early intervention triggers), the BRRD confers a number of powers on the DNB to intervene. These powers include:

• convening (with or without management co-operation) a meeting of shareholders of the bank and requiring certain decisions to be considered for adoption by the shareholders;
• requiring one or more members of the management body or senior management to be removed or replaced; and
• requiring changes to the strategy, legal or operational structures.

If the powers reflected above do not suffice, the DNB may impose the following (additional) measures:

• the removal of the senior management or management body of the institution, in its entirety or with regard to individuals; or
• the appointment of one or more temporary administrators to the bank.

Phase 3: Resolution

The BRRD provides for resolution tools. The aim of applying such tools is (i) to ensure the continuity of critical functions; (ii) to avoid a significant adverse effect on the financial system; (iii) to minimise reliance on public financial support (ie, prevent a bailout); and (iv) to protect depositors, client funds and client assets.

Resolution tools can only be applied if all of the following conditions are met:

• (i) the DNB determines that the bank is failing or is likely to fail;
• (ii) there is no reasonable prospect that any alternative private sector measures, including the write-down or conversion of relevant capital instruments and eligible liabilities, would prevent the failure of the bank within a reasonable timeframe; and
• (iii) resolution is necessary in the public interest.

As regards condition (i), a bank is failing or likely to fail if:

• the bank infringes or likely will, in the near future, infringe the requirements for continuing authorisation in a way that would justify the withdrawal of the authorisation;
• the assets of the bank are or will, in the near future, be less than its liabilities;
• the institution is or will, in the near future, be unable to pay its debts or other liabilities as they fall due; or
• extraordinary public financial support is required.

The BRRD distinguishes four resolution tools, which may be applied individually or in any combination, as outlined below.

The sale of business tool

• The DNB can transfer the shares in the bank or (part of) the assets, rights or liabilities to a purchaser that is not a bridge institution. This transfer does not require shareholder consent.
• If only the sale of business tool is used and only part of the assets are transferred, the bank and its remaining assets/activities shall be wound up under normal insolvency proceedings.

The bridge institution tool

• The DNB can transfer the shares in the bank or (part of) the assets, rights or liabilities to a bridge institution. This transfer does not require shareholders consent.
• A bridge institution must be wholly or partially owned by one or more public authorities and is controlled by the DNB.
• The purpose of the bridge institution is maintaining access to critical functions of the bank and selling the bank.
• If only the bridge institution tool is used and only part of the assets are transferred, the bank and its remaining assets/activities shall be wound up under normal insolvency proceedings.

The asset separation tool

• The DNB can transfer assets, rights or liabilities of a bank or a bridge institution to one or more asset management vehicles. This transfer does not require shareholder consent.
• An asset management vehicle must be wholly or partially owned by one or more public authorities and controlled by the DNB.
• The asset management vehicle will manage the assets transferred to it with a view to maximising their value through eventual sale or orderly wind-down.

The bail-in tool

• The bail-in tool is applied to absorb losses and recapitalise the distressed bank so that it once again meets its license requirements.
• The bail-in tool allows unsecured debt to be written down or converted to equity. That way, the creditors of a bank bear the losses and the need for a taxpayer bailout is avoided.
• The bail-in tool may be applied to all liabilities of a bank except for the liabilities excluded by the BRRD, which include covered deposits, secured claims, claims with an original maturity of fewer than seven days, claims of employees, claims of commercial or trade creditors and claims arising from the provision of goods or services to the bank that are critical to the daily functioning of its operations, including IT services, utilities and the rental, servicing and upkeep of premises.
• Once CET1 capital instruments have been wholly or partly written down, non-excluded liabilities are written down or converted into rights to newly issued shares or other instruments of ownership of the bank.
• For bail-in, the “no creditor worse off principle” applies, meaning that shareholders and creditors may not incur greater losses than they would have incurred if the bank had been wound up immediately beforehand under normal insolvency proceedings.

Minimum Requirements for Own Funds

Banks are subject to minimum requirements for own funds and eligible liabilities (MREL). The MREL serve to ensure that a bank maintains at all times sufficient eligible instruments to facilitate the implementation of the preferred resolution strategy. MREL is the European equivalent of worldwide Total Loss Absorbing Capacity standard (TLAC) developed by the Financial Stability Board (FSB).

DGS

If a bank is unable to meet its obligations towards eligible deposit holders, such deposit holders are protected under the Dutch implementation of the DGS. Please see 6.1 Depositor Protection Regime.

Banking Union

The banking union was created in 2014 as a key component of the economic and monetary union at European level in response to the financial crisis. To ensure a safer financial sector for the single market, the “single rulebook” was created as the backbone of the banking union and financial sector regulation in the EU. The banking union aims to ensure that the banking sector in the EEA is stable, safe and reliable, thus contributing to financial stability. The banking Union is undergoing continuous development as new initiatives are underway to strengthen its foundations.

In June 2022, the Eurogroup issued a statement on the future of the banking union, noting that the banking union remains incomplete. The Eurogroup agreed that the banking union should focus on strengthening the common framework for bank crisis management and national deposit guarantee schemes (CMDI framework).

The Commission put forward a proposal for a reform of the CMDI framework in April 2023, with a focus on medium-sized and smaller banks. The package includes legislative proposals on amending the bank recovery and resolution directive, the single resolution mechanism regulation and the deposit guarantee schemes directive. The reform aims to protect taxpayers’ money in crisis situations, shield the real economy from the impact of bank failures and strengthen depositor protection across the EEA.

Capital Markets Union

The Capital Markets Union (CMU) is the EU’s plan to create a truly single market for capital across the EU. Efforts to harmonise the EU’s capital markets are ongoing, while regulators are also looking to amend a number of existing rules. The CMU Action Plan, published by the European Commission in November 2021, includes legislative proposals relating to the following areas:

• European Single Access Point (ESAP): Under the provisional agreement, the ESAP platform is expected to be available from summer 2027 and will be phased in gradually to enable a robust implementation.
• Review of the European Long-Term Investment Funds (ELTIFs) regulation.
• Review of the Alternative Investment Fund Managers Directive (AIFMD): The review aims to better integrate the alternative investment funds (AIFs) market, improve investor protection and companies’ access to more diversified forms of financing, as well as strengthen managers’ ability to deal with liquidity pressure in stressed market conditions.
• Review of the Markets in Financial Instruments Regulation (MiFIR): The review includes the establishment of an EU-wide consolidated tape for shares, bonds, exchange-traded funds (ETFs) and derivatives, to increase market transparency and facilitate access to trading data. Another priority is to ensure that EU market infrastructure can remain competitive internationally.

There are a number of other legislative proposals under negotiation between the Council and the Parliament that relate to the CMU. The CMU provides an opportunity to harmonise market practices and enhance technical integration.

EU Banking Package

On 27 June 2023, the Council of the EU announced that it had reached provisional political agreement with the European Parliament (EP) on the proposed Directive amending CRD IV as regards supervisory powers, sanctions, third-country branches and ESG risks and the proposed Regulation amending the CRR as regards requirements for credit risk, credit valuation adjustment (CVA) risk, operational risk, market risk and the output floor.

The package implements the final set of international standards agreed by the EU and its G20 partners in the Basel Committee on Banking Supervision, so-called Basel III. Beyond the implementation of Basel III standards, the package also contains a number of measures to keep the EU prudential framework fit for purpose in terms of sustainability risks and in terms of supervision, including regarding third-country branches. It also provides stronger tools for supervisors overseeing EU banks.

The new rules amending the CRR are expected to apply from 1 January 2025, with certain elements of the regulation phasing in over the coming years. Changes related to the supervision of credit institutions are implemented via an amendment of the CRDIV and will have to be transposed by member states by mid-2025.

New Payment Rules

On 28 June 2023, the European Commission (EC) published its legislative proposals for payment services, financial data access and the establishment of the digital euro.

The legislative proposals consist of, inter alia:

• a third Payment Services Directive (PSD3) and a Payment Services Regulation (PSR);
• a Regulation for Financial Data access (FIDA); and
• a Regulation on the establishment of the digital euro (Digital Euro Regulation).

The PSD3, PSR and FIDA proposals are part of the EC “Financial data access and payments” package which was launched by the EC to modernise the regulatory landscape in relation to the provision of payment services and sharing financial services data.

The Digital Euro Regulation is part of the EC’s “single currency package” and sets out a framework for a possible new digital form of the euro that the ECB could choose to issue in the future, as a complement to cash.

The proposals will now go through the EU legislative process, which is expected to take around two years to complete. This brings the following expected timelines:

• PSD3, PSR and FIDA will, based on the current proposals, take around 18-24 months to apply/enter into force after the texts are agreed upon. Assuming that the texts of the regimes will be agreed in 2025, the new regimes will become binding in 2026.
• The Digital Euro Regulation will enter into force shortly after being finalised. However, the effect of the regulation will to a large extent depend on the progress regarding the development and issuance of the digital euro itself.

SSM Supervisory Priorities for 2023-2025

The ECB, in close collaboration with national competent authorities, has set the SSM supervisory priorities for 2023-2025. These priorities aim to strengthen supervisory efforts in delivering the medium-term strategic objectives while adjusting the focus to shifting challenges. Supervised institutions will be requested to strengthen their resilience to immediate macro-financial and geopolitical shocks (Priority 1), address digitalisation challenges and strengthen management bodies’ steering capabilities (Priority 2), and step up their efforts in addressing climate change (Priority 3).

EBA Financial Regulatory Work Programmes

Every year, the key EU financial regulatory institutions publish their annual Work Programmes, setting out their priorities for the year ahead. These priorities align with each institution’s broader longer-term “Strategy” (published every three to five years). On 3 October 2023, the EBA published its Work Programme for 2024. In 2024, the EBA will need to address a large number of mandates in a wide range of areas, building on the priorities defined in its programming document for the period 2024-2026:

• promote and implement an effective and proportionate Single Rulebook;
• foster financial stability in a sustainable economy; notably, the EBA will assess the need for changes to its stress testing methodology for the 2025 exercise;
• enable an integrated regulatory reporting system for authorities and market discipline;
• set up and start DORA oversight and MiCAR supervision (under DORA, the EBA will take part in 13 level-2 mandates, including oversight activities for which it will be assigned the role of Lead Overseer, while under MiCAR, the EBA expects to deliver around 20 technical standards and guidelines in 2024); and
• increase focus on innovation and consumers and ensure a smooth transition to the new AML/CFT framework; the EBA indicates it expects AMLA to be established in 2024.

DNB Payment Strategy 2022-2025

The Payments Strategy 2022-2025 of the DNB focuses on safeguarding trust because of increasing digitalisation. The strategy has three priorities:

• ensuring access to payments;
• maintaining a robust and reliable payment structure; and
• strengthening European and global payments, leveraging the Dutch experience.

A connected area is the risks associated with cybercrime attacks. Cyber resilience is to be given high priority. The Netherlands already has a test regime – TIBER tests – to understand if systems and infrastructure are resilient. These tests will be extended to include third parties who have a systemic role. Information sharing will receive a greater emphasis.

ESG requirements for Dutch-licensed banks primarily consist of (i) climate risk management requirements; and (ii) ESG disclosure requirements.

Climate Risk Management

Climate risk management requirements for banks primarily follow from the ECB’s Guide on climate-related and environmental risks (2020) (the “ECB Guide”). The ECB Guide is strictly speaking not binding for banks. However, it reflects the ECB’s understanding of how banks are expected to adequately manage climate risks under the current prudential framework, as primarily follows from CRD IV. The ECB, as direct supervisor of significant banks, applies the ECB Guide in its supervision. The DNB also applies the ECB Guide in its supervision of less significant banks, but in a proportionate manner.

The supervisory expectations in the ECB Guide can be summarised as follows:

• Business Strategy: Banks should integrate short-, medium-, and long-term climate risks into their business strategies.
• Risk appetite and governance: Banks should incorporate climate risks into their risk appetite frameworks, allocate responsibilities, and report aggregated risk data.
• Risk management: Banks should integrate climate risks into the risk management framework, conduct regular reviews and consider these risks across a range of risks, including credit, liquidity and operational risks.

In 2022, the ECB set three deadlines for banks to progressively align their climate risk management practices with the ECB Guide: 

• end of March 2023: to implement a materiality assessment (as detailed in the ECB Guide);
• end of 2023: to include climate risks in the areas of strategy, governance and risk management; and
• end of 2024: to achieve full alignment with supervisory expectations in the ECB Guide, ensuring the integration of climate and environmental risks into stress testing frameworks and the ICAAP.

In November 2023, the ECB communicated that it has started enforcement towards banks that have failed to adequately manage climate risks in line with the ECB’s expectations.

ESG Disclosure Requirements

According to the ECB Guide, banks should disclose material climate-related risks aligned with EU reporting guidelines. Additional (and more detailed) climate risk disclosures apply to large banks that are listed in the EEA (the Pillar 3 disclosures under the CRR).

Dutch-licensed banks that meet certain size criteria are within the scope of the Dutch implementation of the Non-Financial Reporting Directive (NFRD). These large banks must include a non-financial report in their annual accounts. This non-financial report covers environmental, social, and personnel matters, measures taken in respect of human rights and anti-corruption, as well as non-financial key performance indicators tied to the entity’s specific business activities. As of 2024, Dutch-licensed banks within the scope of the NFRD will have to publish additional information under the Corporate Sustainability Reporting Directive (CSRD) as implemented in Dutch law. 

Other ESG Requirements

Other ESG requirements relevant for Dutch-licensed banks include but are not limited to:

• The EBA Guidelines on loan origination and monitoring: These guidelines detail how banks should incorporate ESG factors into their credit risk policies for corporate lending.
• DCGC: The DCGC includes best practices on sustainability, emphasising long-term value creation for companies and the role of management boards in developing strategies and procedures to achieve this goal.
• Sustainable Finance Disclosure Regulation (SFDR): Banks providing portfolio management or investment advice services are subject to disclosure requirements following from SFDR. These disclosures cover, among other ESG topics, the integration of sustainability risks into the bank’s investment processes, and how the bank considers adverse impacts that investments may have on sustainability.